nixos/fossil-server: init #102221
nixos/fossil-server: init #102221
Conversation
There was a problem hiding this comment.
Thanks for your contribution. I have left a few comments I hope you find helpful. Additionally, it would be nice if the systemd unit had some hardening options applied against it.
If you have any questions at all, please do not hesitate to ask. I'm happy to help.
| config = mkIf cfg.enable { | ||
|
|
||
| networking.firewall.allowedTCPPorts = [ cfg.port ]; | ||
| systemd.services.fossil = { |
There was a problem hiding this comment.
There isn't any real need to run this as root. Maybe DynamicUser would be a good choice instead.
There was a problem hiding this comment.
Added the user and group options. I'm not sure if it's the best way, what do you think? The thing is that with customizable user/group, it's easy to manage permissions just by using chmod/chown and make fossil see just what it needs to see. Also I'm not sure if DynamicUser would persist between reboots which is desirable.
|
|
||
| networking.firewall.allowedTCPPorts = [ cfg.port ]; | ||
| systemd.services.fossil = { | ||
| preStart = if lib.strings.hasSuffix ".fossil" cfg.repository |
There was a problem hiding this comment.
You should replace this directory creation with systemd.tmpfiles.rules entries instead.
There was a problem hiding this comment.
You made me rethink this, and IMHO the place where repository points to should be created manually. Then, one can create/remove .fossil files as needed, and manage permissions etc.
|
|
||
| jsmode = mkOption { | ||
| type = types.str; | ||
| default = ""; |
There was a problem hiding this comment.
types.enum is what you're looking for here.
There was a problem hiding this comment.
That's much cleaner, thanks - fixed
| PrivateTmp = "yes"; | ||
| NoNewPrivileges = true; | ||
| ProtectSystem = "strict"; | ||
| CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH"; | ||
| RestrictNamespaces = "uts ipc pid user cgroup"; | ||
| ProtectKernelTunables = "yes"; | ||
| ProtectKernelModules = "yes"; | ||
| ProtectControlGroups = "yes"; | ||
| PrivateDevices = "yes"; | ||
| RestrictSUIDSGID = true; |
There was a problem hiding this comment.
Added some options stolen from the nginx and mysql NixOS modules
Is there something to change?
|
Sorry I've been really busy. I'll try to get back to this at some point over the next few weeks. |
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
User should manually create his Fossil repositories, then point the Fossil server to them.
Allows to control what the Fossil server sees by setting chowns on fs, and makes it persist between reboots
stale
bot
removed
the
2.status: stale
Otherwise Fossil can't write to the repository file/repositories directory
A test for clone, push and pull between server and client
|
Updated for 21.05 and added a test - please review! @aanderse @SuperSandro2000 |
|
Resolved one merge conflict :) |
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
Is there no interest in this? |
|
@etu what is the best way to revive this attempt to get a Fossil service in Nix? |
|
You can continue the work in another PR. |
Motivation for this change
Fix #102220
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)